ima: pass full xattr with the signature
For possibility to use xattr type for new signature formats, pass full xattr to the signature verification function. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
parent
d3634d0f42
commit
b1aaab22e2
@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||
}
|
||||
}
|
||||
|
||||
switch (sig[0]) {
|
||||
switch (sig[1]) {
|
||||
case 1:
|
||||
return digsig_verify(keyring[id], sig, siglen,
|
||||
/* v1 API expect signature without xattr type */
|
||||
return digsig_verify(keyring[id], sig + 1, siglen - 1,
|
||||
digest, digestlen);
|
||||
case 2:
|
||||
return asymmetric_verify(keyring[id], sig, siglen,
|
||||
|
@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
||||
goto out;
|
||||
}
|
||||
|
||||
xattr_len = rc - 1;
|
||||
xattr_len = rc;
|
||||
|
||||
/* check value type */
|
||||
switch (xattr_data->type) {
|
||||
@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
||||
if (rc)
|
||||
break;
|
||||
rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
|
||||
xattr_data->digest, xattr_len,
|
||||
(const char *)xattr_data, xattr_len,
|
||||
calc.digest, sizeof(calc.digest));
|
||||
if (!rc) {
|
||||
/* we probably want to replace rsa with hmac here */
|
||||
|
@ -205,7 +205,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
|
||||
case EVM_IMA_XATTR_DIGSIG:
|
||||
iint->flags |= IMA_DIGSIG;
|
||||
rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
|
||||
xattr_value->digest, rc - 1,
|
||||
(const char *)xattr_value, rc,
|
||||
iint->ima_hash.digest,
|
||||
iint->ima_hash.length);
|
||||
if (rc == -EOPNOTSUPP) {
|
||||
|
@ -74,6 +74,7 @@ struct ima_digest_data {
|
||||
* signature format v2 - for using with asymmetric keys
|
||||
*/
|
||||
struct signature_v2_hdr {
|
||||
uint8_t type; /* xattr type */
|
||||
uint8_t version; /* signature format version */
|
||||
uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
|
||||
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
|
||||
|
Loading…
Reference in New Issue
Block a user